Secure your Registration Code with AWS Secrets Manager

Learn how to use AWS Secrets Manager as the secret store for the Nano Agent Registration Code (this assumes you are familiar with AWS, IAM, and EKS and how the three interact).

Overview

The Spyderbat Nano Agent registration code is a unique alphanumeric string that associates the installed Nano Agents, and the data they send, with your organization in the Spyderbat backend. The registration code is visible in the Spyderbat UI only to users in your organization with the relevant permissions (see our article on User Roles and Permissions for more information).

You may choose to store your organization's Nano Agent Registration Code in the AWS Secrets Manager, to facilitate the use of automation for agent deployment or to adhere to required internal processes, in which case you will need to follow the steps below.

Adding the Agent Registration Code to AWS Secrets Manager

First, store the registration code in Secrets Manager and retrieve its ARN:

aws secretsmanager create-secret --name <name> --region <region>
aws secretsmanager put-secret-value --secret-id <name> --region <region> --secret-string "{\"spyderbat-registration-key\":\"<key>\"}"
aws secretsmanager get-secret-value --secret-id <name> --region <region>

The next step is to create an IAM policy that allows GetSecretValue and DescribeSecret on that secret. After that, add the AWS Secrets Store CSI driver to your cluster if it is not already installed:

helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts

helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system --set syncSecret.enabled=true

kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
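The secret-storage and IAM-policy steps above, wrapped in a POSIX shell script as an added example (not Spyderbat's own tooling). It builds the secret payload in the shape the page uses, generates a policy that grants only GetSecretValue and DescribeSecret on that one secret ARN, and refuses to create the policy if the Resource is a wildcard. Secret name, region, policy name and the registration key are caller-supplied assumptions.

```shell
#!/bin/sh
# Added example: wraps the Secrets Manager and IAM policy steps from the page.
# All names passed in (secret name, region, policy name, key) are assumptions.

# Secret payload in the shape the page uses: {"spyderbat-registration-key":"<key>"}
build_secret_string() {
  printf '{"spyderbat-registration-key":"%s"}' "$1"
}

# Least-privilege policy: only GetSecretValue and DescribeSecret, and only on
# the one secret ARN passed as $1 (never "*").
build_secret_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "$1"
  }]
}
EOF
}

# Check before attaching: the Resource must be a concrete Secrets Manager ARN,
# not "*" or a wildcard suffix that would also expose other secrets.
policy_is_scoped() {
  resource=$(printf '%s' "$1" | sed -n 's/.*"Resource": *"\([^"]*\)".*/\1/p')
  case "$resource" in
    ""|"*"|*"*") return 1 ;;
    arn:aws:secretsmanager:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Store the key, build the scoped policy, and print the policy ARN.
# Needs aws CLI credentials; usage: store_registration_code NAME REGION KEY POLICY_NAME
store_registration_code() {
  name="$1"; region="$2"; key="$3"; policy_name="$4"
  aws secretsmanager create-secret --name "$name" --region "$region" >/dev/null
  aws secretsmanager put-secret-value --secret-id "$name" --region "$region" \
    --secret-string "$(build_secret_string "$key")" >/dev/null
  secret_arn=$(aws secretsmanager describe-secret --secret-id "$name" \
    --region "$region" --query ARN --output text)
  policy_doc=$(build_secret_policy "$secret_arn")
  policy_is_scoped "$policy_doc" || { echo "refusing unscoped policy" >&2; return 1; }
  aws iam create-policy --policy-name "$policy_name" \
    --policy-document "$policy_doc" --query Policy.Arn --output text
}
```

Pass the printed policy ARN as the --attach-policy-arn value in the eksctl step that follows.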

Accessing the Agent Registration Code in AWS Secrets Manager

Create a role that has the above-mentioned policy attached and is federated to your EKS cluster (see associate-iam-oidc-provider):

eksctl create iamserviceaccount --name spyderbat-serviceaccount --region="<region>" --cluster "<cluster_name>" --attach-policy-arn "<policy_arn>" --approve --namespace spyderbat

eksctl get iamserviceaccount --name spyderbat-serviceaccount --region="<region>" --cluster "<cluster_name>" --namespace spyderbat

Modifying Helm Chart to Query AWS Secrets Manager

Now that you have all of those values, you can install the Nano Agent Helm chart so that it references the secret and mounts it accordingly. You can either supply your own custom values.yaml file or override the values via --set on the Helm CLI:

aws:
    secretsmanager:
        enabled: true
        rolearn: "<role_arn>"
        secretarn: "<secret_arn>"

helm repo add nanoagent https://spyderbat.github.io/nanoagent_helm/
helm repo update
helm install nanoagent nanoagent/nanoagent \
  --set nanoagent.orcurl="<orc_url>" \
  --namespace spyderbat \
  --create-namespace \
  --set CLUSTER_NAME="<cluster_name>"

The steps above represent one of the ways this task could be accomplished. If you have any questions feel free to contact us at support@spyderbat.com.